[gnutls-dev] GnuTLS PKCS#11 Engine

Alon Bar-Lev alon.barlev at gmail.com
Sun May 13 21:41:24 CEST 2007


An initial version of gnugls-pkcs11 is available for testing.
It should provide a simple API to access PKCS#11 cryptographic tokens.

I tried to keep the API as simple as I could, by copying some of
gnutls "simple" interface, although I think gnutls interface should be
modified to eliminate the requirement of global variables, and the
programmer to develop a specific code if it uses an engine.
I also cleaned the cli so it will only test the pkcs11 implementation,
I hope to clean this further.

The implementation allows to use several providers at the same time,
support session expiration, token request (if needed), several tokens
at the same time, detect a token if it is removed and insert to a
different slot, loading certificate authorities from token and much

You can download gnutls-pkcs11 from:

Generated documentation is available at:

In order to compile the engine, you should use the following components:
1. http://josefsson.org/gnutls/releases/pkcs11/gnutls-1.7.8.p11.2.tar.bz2
2. http://www.opensc-project.org/files/pkcs11-helper/pkcs11-helper-1.02.tar.bz2

Configure gnutls with --without-pkcs11-scute, I hope that next branch
will have this off by default.

In order to test gnutls-pkcs11 I use:
$ ./configure GNUTLS_CFLAGS="-I${GNUTLS_HOME}/include"
GNUTLS_LIBS="-L${GNUTLS_HOME}/lib -lgnutls"

In order to test, use:
LD_LIBRARY_PATH="${GNUTLS_HOME}/lib" src/gnutls-pkcs11-cli
--add-provider=/usr/lib/pkcs11/<provider>  --cmd=ids

You will get available certificates that may be used, look at the:


$ LD_LIBRARY_PATH="${GNUTLS_HOME}/lib" src/gnutls-pkcs11-cli
--add-provider=/usr/lib/pkcs11/<provider>  --cmd=connect
--host=localhost --port=5556 --pkcs11-id='XXXX'

Where XXXX is the id selected from the list. Please note the single
quote, it is required so sh will not mess with the backslashes.

If it does not work for you, please add --debug=5 and send me the log.

Any comments/suggestions are appriciated!

Best Regards,
Alon Bar-Lev.

More information about the Gnutls-devel mailing list